WordPress PowerPress 10.0 Cross Site Scripting Vulnerability

On April 5, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for a stored Cross-Site Scripting (XSS) vulnerability in Blubrry’s PowerPress plugin, which is actively installed on more than 50,000 WordPress websites. The vulnerability enables threat actors with contributor-level permissions or higher to inject malicious web scripts into pages using the plugin’s shortcode.

All Wordfence Premium, Wordfence Care, and Wordfence Response customers, as well as those still using the free version of our plugin, are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in Cross-Site Scripting protection.

We contacted Blubrry on April 6, 2023, and promptly received a response. After providing full disclosure details, the developer released a patch on April 10, 2023. We commend the PowerPress development team for their swift response and timely patch release.

We urge users to update their sites with the latest patched version of PowerPress, version 10.0.4 at the time of this writing, as soon as possible.

This email content has also been published on our blog and you're welcome to post a comment there if you'd like to join the conversation. Or you can read the full post in this email.

Vulnerability Summary From Wordfence Intelligence

Title: PowerPress <= 10.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode 

Plugin: PowerPress 

Plugin Slug: powerpress

Affected Versions: <= 10.0

CVE ID: CVE-2023-1917 

CVSS Severity Score: 5.4 (Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N 

Researcher: Alex Thomas 

Fully Patched Version: 10.0.2

Technical Analysis

PowerPress is a plugin that allows WordPress users to publish and manage podcasts. It provides a shortcode ([powerpress]) that allows users to display the PowerPress player on a WordPress page. However, insecure implementation of the plugin’s shortcode functionality allows for the injection of arbitrary web scripts into these pages. A closer examination of the code reveals that the ‘powerpress_shortcode_handler’ function did not adequately sanitize user-supplied input and a number of functions (for various podcast player options) that utilize the shortcode attributes did not adequately escape output.

The powerpress_shortcode_handler function 

The powerpress_shortcode_handler function

The powerpress_generate_embed function creates an iframe using unescaped shortcode attributes. 

The powerpress_generate_embed function creates an iframe using unescaped shortcode attributes.

This makes it possible for threat actors to carry out stored XSS attacks. Once a script is injected, it will execute each time a user accesses the affected page. Threat actors could potentially steal sensitive information, manipulate site content, or redirect users to malicious websites.

Disclosure Timeline

April 5, 2023 – Wordfence Threat Intelligence team discovers the stored XSS vulnerability in PowerPress and initiates responsible disclosure.

April 6, 2023 – We get in touch with the development team at Blubrry and send full disclosure details.

April 7, 2023 – The vendor acknowledges the report and begins working on a fix.

April 10, 2023 – The fully patched version, 10.0.1, is released.

April 11, 2023 – Wordfence confirms the fix addresses the vulnerability.

April 14, 2023 – Blubrry releases an additional patch (version 10.0.2) to address a workaround

Conclusion

In this blog post, we have detailed a stored XSS vulnerability within the PowerPress plugin affecting versions 10.0 and earlier. This vulnerability allows authenticated threat actors with contributor-level permissions or higher to inject malicious web scripts into pages that execute when a user accesses an affected page. The vulnerability has been fully addressed in version 10.0.2 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of PowerPress.

All Wordfence users, including those running Wordfence Premium, Wordfence Care, and Wordfence Response, as well as sites still running the free version of Wordfence, are fully protected against this vulnerability.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence 
and potentially earn a spot on our leaderboard.